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In the Claims: 

1. (Cancelled) 

2. (Currently Amended) A method for intrusion detection of network traffic 
comprising: 

storing a data file comprising data defining one or more signature definition and one 
or more parameters and associated values; 

generating, for each of the one or more signature definitions, an inspector instance 
based on the data file; 

executing, for each of the one or more signature definitions, the generated inspector 
instance to detect network traffic matching the signature definition; 

Th e m e thod of Claim 1, and further comprising: 

storing a user data file comprising one or more modified signature definitions, each 
modified signature definition comprising a signature identifier associating the modified 
signature definition with a corresponding signature definition stored in the data file; and 

generating, for each of the modified signature definitions, a revised inspector instance 
based on the modified signature definition and the corresponding generated inspector 
instance. 

3. (Currently Amended) The method of Claim 1 Claim 2 , wherein the data file 
comprises, for each signature definition, data comprising: 

a signature identification number parameter and associated value; 
a signature name and associated string; and 

one or more parameters and respective values defining characteristics of the signature. 

4. (Currently Amended) The method of Claim 1 Claim 2 , wherein each 
signature definition is stored in a separate line of the data file. 

5. (Original) The method of Claim 2, wherein the one or more modified 
signature definitions comprises modified values for associated modified parameters and no 
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values indicative of the parameters in the corresponding signature definition that are not 
modified. 

6. (Currently Amended) The method of Claim 1 Claim 2 , wherein the data file 
comprises a file received from a sensor provider. 

7. (Currently Amended) The method of Claim 1 Claim 2 , wherein the data file 
comprises a file generated by a user. 

8. (Currently Amended) The method of Claim 1 Claim 2 , wherein receiving the 
data file comprises receiving the data file at a sensor configuration handler. 

9. (Currently Amended) The method of Claim 1 Claim 2 , and further comprising 
receiving configuration data from a user and storing the received configuration data in a user 
data file. 

10. (Currently Amended) The method of Claim 1 Claim 2 , and further 
comprising: 

storing a user data file comprising one or more user-defined signature definitions, 
each user-defined signature definition comprising a signature identifier not associated with 
any of the signature definitions in the data file; and 

generating, for each of the user-defined signature definitions, an inspector instance 
based on the user-defined signature. 

11. (Cancelled) 

12. (Currently Amended) The method of Claim 11 Claim 13 , wherein storing a 
customized signature file comprises storing modifications of one or more of the default 
signatures. 



13. (Currently Amended) A method for use in intrusion detection comprising: 
storing a default signature file defining one or more default signatures; 
storing a customized signature file defining one or more custom signatures; 
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automatically generating, for each of the one or more signatures defined in the default 
signature file, executable code operable to detect intrusions associated with the default 
signature; and 

Th e method of Claim 11, wherein automatically g e n e rating, for each of the on e or 
more custom signatures comprises automatically generating, for each custom signature, 
executable code operable to detect intrusions associated with the custom signature based on 
the generated executable code of an associated default signature. 

14. (Currently Amended) The method of Claim 11 Claim 13 , wherein the one or 
more custom signatures comprises modifications of the default signatures. 

15. (Currently Amended) The method of Claim 1 1 Claim 13 , wherein generating, 
for each of the one or more default signatures, comprises generating executable code 
associated with the default signature based on an inspector shell. 

16. (Original) The method of Claim 15, wherein the executable code associated 
with the default signature is operable to compare a plurality of parameter values to a plurality 
of parameter values defined by the default signature. 

17. (Currently Amended) The method of Claim 11 Claim 13 , wherein the default 
signature file comprises, for each default signature; 

a signature identification number parameter and associated value; 
a signature name and associated string; and 

one or more parameters and respective values defining characteristics of the default 
signature. 

18. (Currently Amended) The method of Claim 11 Claim 13 , wherein the custom 
signature file comprises, for each signature: 

a signature identification number parameter and associated value; 
a signature name and associated string; and 

one or more parameters and respective values defining characteristics of the default 
signature. 
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19. (Original) A method for use in intrusion detection comprising: 
providing a sensor having a plurality of defined signatures; 

communicating to the sensor a desire to create a modified signature from a signature 
to be modified; 

receiving from the sensor data indicative of parameters and associated values for the 
signature to be modified; and 

providing to the sensor a modified value for at least one of the parameters to create a 
modified signature. 

20. (Original) The method of Claim 19, and further comprising storing data 
associated with the modified signature in the sensor at a location separate from the associated 
unmodified signature. 

21. (Original) The method of Claim 20, and further comprising storing in the 
sensor the name, signature identification number, and one or more parameters and associated 
values for only the modified values for the modified signature. 

22. (Original) The method of Claim 19, and further comprising communicating to 
the sensor the name of an engine associated with the signature to be modified. 

23. (Original) The method of Claim 20, wherein storing data associated with the 
modified signature comprises storing a plurality of parameter names and associated values. 

24. (Original) The method of Claim 19, and further comprising selecting a 
signature to be modified from the plurality of defined signatures. 

25. (Original) The method of Claim 22, and further comprising receiving a list 
indicative of all defined signatures associated with the engine. 

26. (Original) The method of Claim 19, wherein providing a sensor having a 
plurality of defined signatures comprises providing a sensor having a default data file 
defining the defined signatures. 
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27. (Original) The method of Claim 26, and further comprising updating the 
default file. 

28. (Original) A system for intrusion detection comprising: 

a sensor for detecting possible network intrusions, the sensor comprising: 

one or more engine groups each associated with one or more network 
detection engines; and 

a configuration handler comprising: 

a default signature file storing one or more signature definitions 
defining one or more respective default signatures for use by the sensor; and 

a user signature file storing a plurality of user-defined signatures for 

use by the sensor; and 

wherein each network detection engine is operable to generate an executable 
code based on either one of the stored default signatures or one of the stored user-defined 
signatures, the executable code operable to detect a network intrusion defined by the 
associated user-defined signature or the associated default signature. 

29. (Original) The system of Claim 28, wherein the configuration handler further 
comprising stored modifications to the default signatures. 

30. (Original) The system of Claim 29, wherein the stored modifications are 
stored in the user signature file. 

31. (Original) The system of Claim 28, wherein the configuration handler further 
comprises a user interface operable to: 

receive an identification of a signature to be modified; 

provide a list of parameters and associated values for the signature to be modified; 
receive revised values for one or more of the parameters; and 
write a revised signature to the user-defined data file. 
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32. (Original) The system of Claim 28, wherein the configuration handler further 
comprises a user interface operable to: 

provide a list of possible parameters for a particular engine; 

receive a plurality of values for one or more of the parameters to define a user-defined 
signature associated with the engine; and parameters; and 

write a user-defined signature to the user signature file. 

33. (Original) The system of Claim 28, wherein the configuration handler further 
comprises a reader and dispatcher operable to read data from the default signature file and 
user signature file and transmit the read data to the one or more engine groups. 

34. (Original) The system of Claim 28, and further comprising a management 
console associated with the sensor and operable to communicate configuration data to the 
configuration handler and receive configuration help information from the configuration 
handler. 

35. (Previously Presented) A system for intrusion detection, comprising: 
a sensor for detecting possible network intrusions, the sensor comprising: 

at least one engine; and 

a means for storing default signatures with parameter-value pairs associated 
with the default signatures and an engine parameter and an associated name for the 
engine parameter and user-defined signatures with parameter-value pairs associated 
with the user-defined signatures and an engine parameter and an associated name for 
the engine parameter for defining signatures to be detected by the at least one engine. 
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36. (Previously Presented) A method for use in intrusion detection of network 
traffic comprising: 

storing in a memory a signature definition associated with a signature to be detected, 
the signature definitions comprising: 

an engine parameter and an associated name for the engine parameter; 
an identifier for the signature; and 

one or more parameter-value pairs associated with the signature, each 
parameter-value pair comprising a parameter name and associated parameter value; 
and 

determining, based on the signature definition, the values that associated parameters 
of network traffic must take to meet the signature. 

37. (Original) The method of Claim 36, and further comprising storing a plurality 
of signature definitions in a data file, each signature definition on a different line of the data 
file. 

38. (Cancelled) 

39. (Original) The method of Claim 36, wherein each signature definition further 
comprises an identification parameter preceding the signature identifier. 
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